Workshop Tackles the Hard Problem of Identity in the Browser

Today’s approaches for managing trusted identities online, social networking,
security, and privacy are uneven and at times incompatible. To tackle
this market fragmentation, the W3C organized the Identity in the Browser
workshop on 24-25 May in Mountain View (California, USA). The goal
of the workshop was to bring active practitioners together to explore
what can be done to increase security and privacy relating to Web-based
user identity, and to try to reduce fragmentation within the identity
ecosystem found on the Web.

Over 80 representatives from various organizations attended the two-day
workshop, including participants from the major browser developers such
as Google, Microsoft, Apple, and Mozilla. The room was filled with
active practitioners across the spectrum of identity, security, and
design professionals. During the full-day sessions, the workshop
explored requirements and technical proposals for standardizing
approaches to securely handling Web-based user identity.
Among the topics discussed were:

Cryptographic APIs: Currently there is no common API to access browser
support for cryptography, forcing developers to rely on freely available
cryptographic libraries that may not be entirely safe. Given that
high-quality cryptographic procedures do exist within most browsers, it
may be possible to make a common set available via standardized APIs.

Standardized Identity/Account Managers: Almost every browser has some
sort of account manager designed to handle user identity data.
Unfortunately, they do not all function the same way, making it difficult
to port identity data between browsers or Cloud-based services. There is
also little integration with the underlying device OS, making it difficult
to leverage the OS’s own account management mechanisms.

Identity in Forms: Most browsers also facilitate Web interactions by
offering to store form data and automatically pre-fill form fields. While these
techniques often assist users in filling out forms, there are security
and privacy concerns with the practice. All of the browser developers
present at the workshop agreed that their current heuristics for form
management could be improved by some simple standardization.

Private Browsing and Cookie Management: A common theme was that some
aspects of identity management in a browser (including cookie states)
seemed contradictory to current proposals for “do-not-track” and
“anonymity protection”. Possible research work was considered for what
should constitute a standardized “private browsing mode”. Other
proposals included updating the user interface to improve understanding
of how to effectively manage cookies in support of more controlled or
anonymous browsing.

Security Indicators: There are currently significant differences between
browsers on how they display security indicators to users. They often
leverage various colors and icons within the URL bar that relate to the
“trustworthiness” of the digital certificates used when setting up a
secure connection. Unfortunately, none of them appear compatible,
raising questions about their effectiveness. While standardization may
be premature, there was interest in building a common place to share
research on security indicators as a first step.

A final detailed report will be published by the end of June that
summarizes the findings and proposed next steps coming out of the
workshop. To join the discussion, subscribe to public-identity@w3.org by
e-mailing public-identity-request@w3.org with “subscribe” in the subject line.
The W3C is looking forward to hearing from you, and wants your help in
integrating identity into the Open Web Platform.

The W3C thanks J. Trent Adams, Internet
Society Outreach Specialist on Trust & Identity, for co-chairing the
workshop with me. Thanks also to the Mozilla Foundation for providing host
facilities. Special thanks also go to Yahoo!, Paypal, and RSA (The Security
Division of EMC) for sponsoring the workshop.

One thought on “Workshop Tackles the Hard Problem of Identity in the Browser”

SP’s Security Policy
Another area where standardisation is needed is for a service provider site to be able to transfer its identity requirements (both authentication and authorisation requirements) in a standard format, via the browser, to an IDP (or proxy IDP, identity broker or hub, etc.) as a standard MIME type, so that the recipient can obtain sufficient credentials from the user so as to allow the user to gain access to the SP’s protected resources.
